Okta

In this guide, we'll look at how to configure Okta SCIM in Cortex through Cortex's app in the Okta Integration Network.

When Okta SCIM is configured, you can create, import, edit, and deactivate users.

warning

There are a few limitations when using Okta SCIM:

  • A user's email cannot be changed.
  • Only given and family names can be updated.
  • Users can only be reactivated via a PUT operation.

If you're looking to configure Okta SSO, take a look at our SSO guide.

Configuring Okta SCIM with the Cortex OIN app

Prerequisite

If your organization requires you to allowlist domains, follow these steps before getting started to ensure that Okta's IP addresses can access your Cortex instance:

  1. In your Cortex instance, click your user avatar in the lower left corner, then click Settings.
  2. On the left side, under Authentication and Access, click IP allowlist.
    • If you do not have any IP addresses listed here, then access is allowed from any IP address.
  3. Click Add IP addresses in the upper right.
  4. In the modal that appears, enter an individual IP address or an IP range in CIDR notation, then click Save.
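
Before saving the allowlist, it helps to confirm that the entries cover every source that must reach Cortex. The following is an added example, not code from Cortex or Okta: the function names are hypothetical, the addresses are constructed placeholders from documentation ranges, and it assumes that a non-empty allowlist refuses any source that is not listed.

```python
import ipaddress

# Constructed sample values from documentation ranges (RFC 5737 / RFC 3849).
# They are placeholders, not Okta's or anyone's real addresses.
CORTEX_ALLOWLIST = ["203.0.113.0/24", "198.51.100.17"]
OKTA_SOURCES = ["203.0.113.64/26", "198.51.100.17", "198.51.100.18", "2001:db8::/48"]
ADMIN_SOURCES = ["192.0.2.10"]


def parse_entries(entries):
    """Parse individual IPs or CIDR ranges; a bare IP becomes a /32 or /128."""
    # strict=False normalizes entries with host bits set (203.0.113.7/24 -> 203.0.113.0/24).
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def uncovered_sources(allowlist, required):
    """Return the required sources that no single allowlist entry fully contains."""
    allowed = parse_entries(allowlist)
    if not allowed:
        # Stated in the guide: with no entries, access is allowed from any IP address.
        return []
    missing = []
    for src in parse_entries(required):
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if not any(src.version == net.version and src.subnet_of(net) for net in allowed):
            missing.append(str(src))
    return missing


def review_allowlist(allowlist, okta_sources, admin_sources):
    """Summarize which Okta and admin sources a proposed allowlist would leave out."""
    return {
        "okta_blocked": uncovered_sources(allowlist, okta_sources),
        # Assumption: once the list is non-empty, sources not on it are refused.
        "admin_blocked": uncovered_sources(allowlist, admin_sources),
    }


if __name__ == "__main__":
    for name, blocked in review_allowlist(CORTEX_ALLOWLIST, OKTA_SOURCES, ADMIN_SOURCES).items():
        print(name, blocked or "none")
```

A range that is only covered by several adjacent entries combined is reported as uncovered, so treat the output as a list to review rather than a definitive verdict.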

1. Add the Cortex OIN app

Add Cortex's OIN app for Okta from this page or from the App integration catalog available under Applications in your Okta instance.

2. Configure the API integration

Open Cortex's app from the Applications page in your Okta admin dashboard and go to the Provisioning tab.

Go to Integration in the Settings panel and click Configure API Integration.

  • Mark Enable API integration.
  • Paste your generated Cortex API key into the API Token field.

Click Test API Credentials and, once the test succeeds, click Save.

note

SCIM requires the "Application username format" to be set to Email. To set it, go to Credentials Details in the Sign On tab.

3. Set provisioning in Okta

Once the integration is configured, Okta will give you the option to enable provisioning:

  • Create users: Creates a user in Cortex when the app is assigned to a user in Okta.
    • The default username used to create accounts is set to Okta username.
  • Update user attributes: Okta updates a user's attributes in Cortex when the app is assigned.
    • Cortex only supports updating the user's name (i.e., given and family names).
  • Deactivate users: Deactivates/deletes a user's Cortex account when the app is unassigned from that user or when their Okta account is deactivated.
    • Accounts can be reactivated if the app is reassigned to the user in Okta.

Check Enable for each of these and click Save.

4. Configure user provisioning in Cortex

Go to SCIM settings in Cortex to set up user deprovisioning and provisioning:

  • Enable automatic deprovisioning of users: Cortex will automatically deprovision any user it detects has been removed from your Okta instance.
  • Enable automatic provisioning of users: Cortex will automatically provision any user it detects has been added to your Okta instance.

You can track which users are provisioned or deprovisioned in the Audit logs.

caution

Enabling automatic provisioning of users may impact seat counts.

Synchronizing user data between Okta and Cortex

To force a data sync between Okta and Cortex, open the Cortex OIN app in your Okta admin dashboard.

  1. Go to the Provisioning tab.
  2. Select To App in the settings panel.
  3. Click the "Force Sync" button under Cortex Attribute Mappings.